The problem with 22seven

Christo Davel, former head of now-defunct online bank 20twenty, sparked intense debate and provoked security warnings from local banks last week when he took the wraps off his new venture, personal financial management website 22seven. The start-up got itself noticed. But is the service safe to use?

22seven certainly looks cool. Using rich, animated design, it offers users a graphical way to see quickly where they are making and spending money and helps them set up targets for reaching their spending goals. It’s not a new concept, at least not internationally, but it is relatively new in SA. It’s a good idea and for the most part works well.

Except that there appears to be a fundamental flaw in 22seven’s business model. Instead of asking users to upload their bank statements to the site themselves, it requires them to enter their confidential banking login details directly on the 22seven site so that its US technology partner, Yodlee, can log in on their behalf and collect this information on a daily basis.

Not surprisingly, the banks have been quick to react, warning their customers not to divulge their security credentials to any third party. Some have even warned they may not honour payments to customers who have signed up for 22seven and become victims of fraud, even if that fraud is unrelated to the service.

This raises many questions, and some of the answers don’t cast 22seven in a particularly favourable light. Why, for example, did the start-up not first speak to the banks about its plans? It was probably worried they would steal its ideas or even try to block the service. Those are legitimate concerns. But by asking users to divulge personal login information and not explaining in detail the dangers of doing this, it is exposing its customers to risk.

There are hazards for consumers because, no matter how secure 22seven and Yodlee say the service is (and there’s good reason to believe it is secure), banks could refuse to pay out for unrelated fraudulent activity on their accounts.

Will 22seven reimburse fraud victims where banks refuse to pay out? It doesn’t say, so presumably it has no policy in place to deal with this. This is problematic, to put it mildly.

Ideally, what should happen is the banks should make available an “application programming interface”, or API, that allows user-selected and bank-approved third parties like 22seven to access customers’ bank statements in read-only mode.

Whether the banks will do this — it’s not necessarily in their interest — is, of course, open to question. Absa has already said it’s developing its own online personal financial management product, so it’s probably not in its direct interests to publish an open API for third-party use, even if that API would benefit its customers.

Davel is a shrewd operator and knows the banking business inside out, so it is odd that he’s overlooked what seems (at least to this outsider) to be a gaping hole in 22seven’s business model. Some might argue he knew it would provoke a storm of protest from the banks, generating a wave of publicity for 22seven and pitching the start-up as the champion of consumers against the big, evil banks. However, that seems implausible and, even if true, highly risky for the start-up.

There may be a case for regulators to intervene to force the banks to publish open APIs, but then 22seven should have approached the regulators for advice and assistance before risking a fight with the banks and their armies of lawyers.

South Africans should always cheer on local start-ups. They create jobs and grow the economy. But consumers would be well advised to approach 22seven with some caution, at least for now.